Practical DFA on AES
Marc Witteman – CTO
June 13, 2013
DFA on AES, how hard is that?
• 2003: Gilles Piret and Jean-Jacques Quisquater, 2 faults
• 2013: Christophe Giraud and Adrian Thillard, 1 fault
• 2013: Riscure, up to 50 faults
Is Riscure stupid?
Outline
• How does single fault DFA on AES work?
• What’s wrong with single fault DFA?
• So, how does Riscure do DFA?
• Demo
Fault impact on AES
• Inject fault before the ultimate MixColumn; the fault randomly changes the chosen byte
• MixColumn propagates fault in column
• ShiftRow propagates fault to 4 cells
• One fault affects 4 output bytes
[Figure: rounds 9 and 10 (ShiftRow, MixColumn, AddKey, Substitute, Output) with the fault injected before the 9th-round MixColumn]
Finding the fault value
• Fault in specific byte propagates to 4 output bytes
• Each pair of correct and faulty output bytes halves the number of values for the random fault
[Figure: remaining candidate fault values after considering Out0, Out7, Out10 and Out13 separately, and all four together]
Group of 4 affected output bytes reduces possible fault values in the known byte to about 15
Finding the key value
• A specific fault value matches with two key values
• Group key space reduced from 32 bits to ~8 bits
[Figure: mapping from fault value to key value]
15 fault values × (2 × 2 × 2 × 2) key combinations = 240 ≈ 2^8
4 faults can break the key
• 4 x 32 reduced to 4 x 8 bits
• Remaining entropy is 32 bits
• Can be brute forced
[Figure: key bytes K0, K7, K10, K13 form one group]
One fault catches all
• Inject fault before MixColumn in round 8; the fault randomly changes the chosen byte
• MixColumn propagates the fault in its column
• ShiftRow propagates the fault to 4 cells
• MixColumn propagates the 4 faults in 4 columns
• ShiftRow propagates the 4 faults to 16 cells, exposing 16 key bytes
• So, one correct + faulty pair + 32 bit brute force reveals the 128 bit key!
[Figure: rounds 8, 9 and 10 (MixColumn, AddKey, Substitute, ShiftRow, Output) with the fault injected before the 8th-round MixColumn]
What’s wrong with single-fault DFA?
Fault model must be known
• Unknown byte hit?
Faults in the same column are indistinguishable
A blind byte hit multiplies the search space by 4
• Unknown round hit?
A blind round hit multiplies the search space by 10
• Unknown operation hit?
```c
/* The slide's mul2[] and mul3[] are 256-byte lookup tables for multiplication by
   2 and 3 in GF(2^8); equivalent inline functions are used here so the routine
   compiles stand-alone. */
static unsigned char mul2(unsigned char x) {
    return (unsigned char)((x << 1) ^ ((x & 0x80) ? 0x1b : 0x00));
}
static unsigned char mul3(unsigned char x) { return (unsigned char)(mul2(x) ^ x); }

/* One AES MixColumn on a 4-byte column, in place. A change in input byte a
   reaches all four outputs with coefficients 2, 1, 1, 3 (rows 0..3). */
void mix_column(unsigned char *column) {
    unsigned char a = column[0];
    unsigned char b = column[1];
    unsigned char c = column[2];
    unsigned char d = column[3];
    column[0] = mul2(a) ^ mul3(b) ^ c ^ d;
    column[1] = mul2(b) ^ mul3(c) ^ d ^ a;
    column[2] = mul2(c) ^ mul3(d) ^ a ^ b;
    column[3] = mul2(d) ^ mul3(a) ^ b ^ c;
}
```
Alternative faults, such as a fault inside this mix_column routine, change the effect
Out-of-model faults mess up the key search
Practice
• 32 bit AES brute force takes 20 minutes
• With unknowns this can grow to days
• Brute force key search impossible when input missing
• We hate waiting
Our approach
Experience
If a target is vulnerable to fault injection, it’s relatively easy to collect multiple faults
Procedure
1. acquire outputs while injecting faults (almost a minute)
2. select faults that match the fault model (few ms)
3. use voting and exclusion to reduce key space to 0..24 bits using 24..50 faults (few ms)
4. brute force to match input or fault model (few sec)
We replace single-fault DFA by single-minute DFA
1. Acquisition
[Figure: acquisition setup: command and trigger go to the target, a glitch with the chosen glitch parameters is applied, and the response is captured]
2. Fault selection
• Hit ‘Key addition’, ‘Substitute’, ‘Shift row’, or ‘Mix column’
• Check that only 4 output bytes change
• Accept that some faults have alternative fault model
[Figure: example output differences classified as usable, too little, or too much; the mix_column code above is shown again]
3. Key space reduction (one fault)
• 4 potential fault bytes per group → join possible key values
• Almost half of all key bytes match
• Frequency = probability
[Figure: state bytes A..P laid out in four columns (A–D, E–H, I–L, M–P); candidate key values for a fault in A, in B, in C, in D, and for a fault in any of them]
3. Key space reduction (multi fault)
[Figure: voting (candidate frequencies for fault 1, fault 2, 1+2, sum over 8 and over 12 faults) versus voting and exclusion (1*2*(1+2), prodsum over 4 and over 8 faults)]
Full key extraction takes 32 up to 50 unique faults
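Steps 2 and 3 of the procedure (fault selection on the 4-byte output pattern, key-space reduction per group, voting and exclusion over many faults), as an added example that is not Riscure's code or tooling. It simulates only the last AES round: the round-10 input state and round-10 key are constructed at random, the fault is modelled as the MixColumn-propagated difference of one random byte, and the faulted row is treated as unknown (the "fault in ANY" case); the names gf_mul, inject, key_candidates, recover_group and demo are this example's own.

```python
# Added example (not Riscure's code): last-round DFA on AES-128 following the deck's steps 2 and 3.
# Round-10 input state and round-10 key are constructed at random: that is all the attack observes.
import random
from collections import Counter

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for i in range(8):
        if (b >> i) & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
    return r

def _build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(256) if gf_mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
# MixColumn matrix: a fault delta in row r0 before MixColumn becomes MIX[r][r0] * delta in row r.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def group(col):
    """Output bytes ShiftRows sends column col to (column-major state, index 4*col+row)."""
    return [4 * ((col - r) % 4) + r for r in range(4)]

def last_round(state, k10):
    """AES round 10: SubBytes, ShiftRows, AddRoundKey (no MixColumn)."""
    out = [0] * 16
    for col in range(4):
        for r, dest in enumerate(group(col)):
            out[dest] = SBOX[state[4 * col + r]] ^ k10[dest]
    return out

def inject(state, col, row0, delta):
    """Random byte fault in row0 of column col before the last MixColumn, as seen by round 10."""
    x = list(state)
    for r in range(4):
        x[4 * col + r] ^= gf_mul(MIX[r][row0], delta)
    return x

def classify_fault(c, c_faulty):
    """Step 2, fault selection: usable only if exactly one ShiftRow group changed."""
    changed = {i for i in range(16) if c[i] != c_faulty[i]}
    cols = [col for col in range(4) if changed == set(group(col))]
    if cols:
        return "usable", cols[0]
    return ("too little" if len(changed) < 4 else "too much"), None

def key_candidates(c, c_faulty, col):
    """Step 3, one fault: key values of every (row0, delta) hypothesis consistent with all 4 bytes."""
    idx = group(col)
    tables = []  # per affected byte: input difference -> key values that produce it
    for o in idx:
        t = {}
        for k in range(256):
            t.setdefault(INV_SBOX[c[o] ^ k] ^ INV_SBOX[c_faulty[o] ^ k], []).append(k)
        tables.append(t)
    cands = [set() for _ in range(4)]
    for row0 in range(4):  # row0 is left unknown: the "fault in ANY" case, a factor 4 of work
        for delta in range(1, 256):
            per_byte = [tables[r].get(gf_mul(MIX[r][row0], delta)) for r in range(4)]
            if all(per_byte):
                for r in range(4):
                    cands[r].update(per_byte[r])
    return cands

def recover_group(c, faulty_list, col):
    """Step 3, many faults: one vote per fault per value (voting); survivors are agreed by all (exclusion)."""
    votes = [Counter() for _ in range(4)]
    survivors = [set(range(256)) for _ in range(4)]
    for cf in faulty_list:
        cands = key_candidates(c, cf, col)
        for r in range(4):
            survivors[r] &= cands[r]
            votes[r].update(cands[r])
    return survivors, votes

def demo(n_faults=24, seed=2013):
    """Collect unique usable column-0 faults and recover the group K0, K7, K10, K13."""
    rng = random.Random(seed)
    state, k10 = ([rng.randrange(256) for _ in range(16)] for _ in range(2))
    c = last_round(state, k10)
    faulty = []
    while len(faulty) < n_faults:
        cf = last_round(inject(state, 0, rng.randrange(4), rng.randrange(1, 256)), k10)
        if classify_fault(c, cf) == ("usable", 0) and cf not in faulty:
            faulty.append(cf)
    survivors, votes = recover_group(c, faulty, 0)
    recovered = {o: votes[r].most_common(1)[0][0] for r, o in enumerate(group(0))}
    return recovered == {o: k10[o] for o in group(0)}, [len(s) for s in survivors]
```

demo() returns (True, [1, 1, 1, 1]): after 24 unique faults every byte of the group K0, K7, K10, K13 is pinned down, with no brute force left for that group. The other three groups need faults in the other columns (or the one-fault-catches-all variant), and the master key then follows from the round-10 key through the inverse key schedule.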
4. Brute force
When to brute force?
• Verify correctness of candidates
• Only few faults available
• Can be efficient when 24 bits (or less) missing
• Too little variation in faults
How to brute force?
• Match keys with input/output
• Reverse last round and detect earlier faults
Conclusion
• Prior AES DFA work not practical due to
  • Unknowns
  • Out-of-model faults
• DFA practical when
  • Fault selection on format
  • Candidates selected by voting
• Practical DFA on AES can be fast: replace ‘single-fault’ by ‘single-minute’
• Remaining research questions
  • Attack skipped rounds?
  • Attack without duplicate plaintext?
Riscure North America
71 Stevenson Street, Suite 400
San Francisco, CA 94105
USA
Phone: +1 650 646 99 79
inforequest@riscure.com
Riscure B.V.
Frontier Building, Delftechpark 49
2628 XJ Delft
The Netherlands
Phone: +31 15 251 40 90
www.riscure.com
Contact: Marc Witteman
CTO

Boost PC performance: How more available memory can improve productivity
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 

Practical Differential Fault Attack on AES

  • 1. Practical DFA on AES
    Marc Witteman – CTO
    June 13, 2013
  • 2. DFA on AES, how hard is that?
    • 2003 Gilles Piret and Jean-Jacques Quisquater: 2 faults
    • 2013 Christophe Giraud and Adrian Thillard: 1 fault
    • 2013 Riscure: up to 50 faults
    Is Riscure stupid?
  • 3. Outline
    • How does single fault DFA on AES work?
    • What's wrong with single fault DFA?
    • So, how does Riscure do DFA?
    • Demo
  • 4. Fault impact on AES
    • Inject a fault before the ultimate MixColumn; the fault randomly changes the chosen byte
    • MixColumn propagates the fault within its column
    • ShiftRow propagates the fault to 4 cells
    • One fault affects 4 output bytes
    [Diagram: 9th round (Substitute, ShiftRow, Fault, MixColumn, AddKey) followed by 10th round (Substitute, ShiftRow, AddKey, Output)]
  • 5. Finding the fault value
    • A fault in a specific byte propagates to 4 output bytes
    • Each pair of correct and faulty output bytes halves the number of possible values for the random fault
    [Plots: Out0 on fault, Out7 on fault, Out10 on fault, Out13 on fault, Out(all) on fault]
    The group of 4 affected output bytes reduces the possible fault values in the known byte to about 15
  • 6. Finding the key value
    • A specific fault value matches two key values
    • Group key space reduced from 32 bits to ~8 bits
    [Diagram: mapping from fault value to key value; about 15 candidate fault values, each matching 2 · 2 · 2 · 2 key values, give 240 candidate key groups]
    4 faults can break the key
    • 4 x 32 bits reduced to 4 x 8 bits
    • Remaining entropy is 32 bits
    • Can be brute forced
    [Diagram: key bytes K0, K7, K10, K13]
  • 7. One fault catches all
    • Inject a fault in round 8, before MixColumn; the fault randomly changes the chosen byte
    • MixColumn propagates the fault within its column
    • ShiftRow propagates the fault to 4 cells
    • MixColumn propagates the 4 faults in 4 columns
    • ShiftRow propagates the 4 faults to 16 cells, exposing 16 key bytes
    • So, one correct + faulty pair + a 32 bit brute force reveals the 128 bit key!
    [Diagram: 8th round (Fault, MixColumn, AddKey), 9th round (Substitute, ShiftRow, MixColumn, AddKey) and 10th round (Substitute, ShiftRow, AddKey, Output)]
  • 8. What's wrong with single-fault DFA?
    Fault model must be known
    • Unknown byte hit?
    Faults in the same column are indistinguishable
  • 9. What's wrong with single-fault DFA?
    Fault model must be known
    • Unknown byte hit? A blind byte hit multiplies the search space by 4
    • Unknown round hit? A blind round hit multiplies the search space by 10
    • Unknown operation hit?
    Alternative faults change the effect:

        /* MixColumn on one 4-byte column; mul2[] and mul3[] are 256-entry lookup
           tables for GF(2^8) multiplication by 2 and 3 (not shown on the slide) */
        void mix_column( unsigned char* column ) {
            unsigned char a = column[0];
            unsigned char b = column[1];
            unsigned char c = column[2];
            unsigned char d = column[3];
            column[0] = mul2[ a ] ^ mul3[ b ] ^ c ^ d;
            column[1] = mul2[ b ] ^ mul3[ c ] ^ d ^ a;
            column[2] = mul2[ c ] ^ mul3[ d ] ^ a ^ b;
            column[3] = mul2[ d ] ^ mul3[ a ] ^ b ^ c;
        }
  • 10. What's wrong with single-fault DFA?
    Fault model must be known
    • Unknown byte hit? A blind byte hit multiplies the search space by 4
    • Unknown round hit? A blind round hit multiplies the search space by 10
    • Unknown operation hit? Out-of-model faults mess up the key search
    Practice
    • A 32 bit AES brute force takes 20 minutes
    • With unknowns this can grow to days
    • Brute force key search is impossible when the input is missing
    • We hate waiting
  • 11. Our approach
    Experience: if a target is vulnerable to fault injection, it is relatively easy to collect multiple faults
    Procedure
    1. Acquire outputs while injecting faults (almost a minute)
    2. Select the faults that match the fault model (a few ms)
    3. Use voting and exclusion to reduce the key space to 0..24 bits using 24..50 faults (a few ms)
    4. Brute force to match the input or the fault model (a few seconds)
    We replace single-fault DFA by single-minute DFA
  • 13. 2. Fault selection
    • Hit 'Key addition', 'Substitute', 'Shift row' or 'Mix column'
    • Check that only 4 output bytes change
    • Accept that some faults have an alternative fault model
    [Figure: example output difference patterns labelled Usable, Too little, Too much]

        /* MixColumn on one 4-byte column; mul2[] and mul3[] are 256-entry lookup
           tables for GF(2^8) multiplication by 2 and 3 (not shown on the slide) */
        void mix_column( unsigned char* column ) {
            unsigned char a = column[0];
            unsigned char b = column[1];
            unsigned char c = column[2];
            unsigned char d = column[3];
            column[0] = mul2[ a ] ^ mul3[ b ] ^ c ^ d;
            column[1] = mul2[ b ] ^ mul3[ c ] ^ d ^ a;
            column[2] = mul2[ c ] ^ mul3[ d ] ^ a ^ b;
            column[3] = mul2[ d ] ^ mul3[ a ] ^ b ^ c;
        }
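The propagation model of slide 4 and the format check of slide 13, as an added example that is not from the presentation or Riscure: it runs the last two AES-128 rounds on a constructed state, xors a fault into one byte right before the last MixColumn, and classifies the output difference as usable (exactly one ShiftRow pattern of 4 bytes), too little or too much. The state layout, key values and the return codes are assumptions of this example.

```c
#include <stdint.h>

/* GF(2^8) arithmetic with the AES polynomial: xtime multiplies by x, gmul is general. */
static uint8_t xtime(uint8_t x) { return (uint8_t)((x << 1) ^ ((x & 0x80) ? 0x1b : 0)); }
static uint8_t gmul(uint8_t a, uint8_t b) { uint8_t p = 0; for (; b; b >>= 1, a = xtime(a)) if (b & 1) p ^= a; return p; }
/* AES S-box from the field inverse plus the affine map, so no 256-byte table is needed. */
static uint8_t sbox(uint8_t x) {
    uint8_t inv = 0, r = 0;
    for (int i = 1; x && i < 256; i++) if (gmul(x, (uint8_t)i) == 1) { inv = (uint8_t)i; break; }
    for (int k = 0; k <= 4; k++) r ^= (uint8_t)((inv << k) | (inv >> (8 - k)));
    return r ^ 0x63;
}
/* State is column-major (index = row + 4 * column); sub_shift is SubBytes followed by ShiftRows. */
static void sub_shift(uint8_t s[16]) {
    uint8_t t[16];
    for (int r = 0; r < 4; r++)
        for (int c = 0; c < 4; c++) t[r + 4 * c] = sbox(s[r + 4 * ((c + r) & 3)]);
    for (int i = 0; i < 16; i++) s[i] = t[i];
}
static void mix_columns(uint8_t s[16]) {   /* the slides' mix_column applied to all four columns */
    for (int i = 0; i < 16; i += 4) {
        uint8_t a = s[i], b = s[i + 1], c = s[i + 2], d = s[i + 3];
        s[i]     = xtime(a) ^ xtime(b) ^ b ^ c ^ d;
        s[i + 1] = xtime(b) ^ xtime(c) ^ c ^ d ^ a;
        s[i + 2] = xtime(c) ^ xtime(d) ^ d ^ a ^ b;
        s[i + 3] = xtime(d) ^ xtime(a) ^ a ^ b ^ c;
    }
}
/* Rounds 9 and 10 of AES-128 from the state entering round 9; delta is xored into byte fault_idx right before the last MixColumn (no fault when fault_idx < 0). */
static void last_two_rounds(uint8_t s[16], const uint8_t k9[16], const uint8_t k10[16], int fault_idx, uint8_t delta) {
    sub_shift(s);
    if (fault_idx >= 0) s[fault_idx] ^= delta;
    mix_columns(s);
    for (int i = 0; i < 16; i++) s[i] ^= k9[i];
    sub_shift(s);
    for (int i = 0; i < 16; i++) s[i] ^= k10[i];
}
/* Slide 13's format check: returns the faulted column 0..3 when exactly the 4 output bytes of one
 * ShiftRow pattern differ, -1 for "too little" (< 4 bytes), -2 for "too much" (> 4), -3 for 4 bytes out of pattern. */
static int classify_fault(const uint8_t good[16], const uint8_t bad[16]) {
    unsigned mask = 0, n = 0;
    for (int i = 0; i < 16; i++) if (good[i] != bad[i]) { mask |= 1u << i; n++; }
    if (n != 4) return n < 4 ? -1 : -2;
    for (int c = 0; c < 4; c++) {          /* row r of column c lands in column (c - r) mod 4 after ShiftRow */
        unsigned pat = 0;
        for (int r = 0; r < 4; r++) pat |= 1u << (r + 4 * ((c - r + 4) & 3));
        if (mask == pat) return c;
    }
    return -3;
}
```

Running last_two_rounds twice on the same state, once without a fault and once with delta in byte 5 (row 1 of column 1), makes classify_fault return 1 with exactly output bytes 1, 4, 11 and 14 changed, the analogue of the Out0/Out7/Out10/Out13 pattern for a column 0 fault.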
  • 14. 3. Key space reduction (one fault)
    • 4 potential fault bytes per group → join the possible key values
    • Almost half of all key bytes match
    • Frequency = probability
    [Diagram: 4x4 state bytes A..P (A E I M / B F J N / C G K O / D H L P) with the output bytes affected by a fault in A, in B, in C, in D, or in ANY of them]
  • 15. 3. Key space reduction (multi fault)
    [Diagram: Voting: candidate sets 1, 2 and 1+2, giving sum(8) and sum(12); Voting and Exclusion: 1, 2 and 1*2*(1+2), giving prodsum(4) and prodsum(8)]
    Full key extraction takes 32 up to 50 unique faults
  • 16. 4. Brute force
    When to brute force?
    • Verify correctness of candidates
    • Only few faults available
    • Can be efficient when 24 bits (or less) are missing
    • Too little variation in faults
    How to brute force?
    • Match keys with input/output
    • Reverse the last round and detect earlier faults
  • 17. Conclusion
    • Prior AES DFA work not practical due to
      • Unknowns
      • Out-of-model faults
    • DFA practical when
      • Fault selection on format
      • Candidates selected by voting
    • Practical DFA on AES can be fast: replace 'single-fault' by 'single-minute'
    • Remaining research questions
      • Attack skipped rounds?
      • Attack without duplicate plaintext?
  • 18. Riscure North America
    71 Stevenson Street, Suite 400, San Francisco, CA 94105, USA
    Phone: +1 650 646 99 79
    inforequest@riscure.com
    Riscure B.V.
    Frontier Building, Delftechpark 49, 2628 XJ Delft, The Netherlands
    Phone: +31 15 251 40 90
    www.riscure.com
    Contact: Marc Witteman, CTO